Is this a bug in FilterSecurityInterceptor or a "feature"?

  • Is this a bug in FilterSecurityInterceptor or a "feature"?

    We have our FilterSecurityInterceptor loaded with lots of URLs using regex path-type. For example we have:

    Code:
    <sec:filter-security-metadata-source path-type="regex">
        <sec:intercept-url pattern="\A/somepath\.html.\Z" access="ROLE_PRIVILEGED_USER"/>
         ...
         ...
    </sec:filter-security-metadata-source>
    When I enter the URL "http://<server:8443>/somepath.html" with the correct privileges I am successfully granted access to the page.

    When I enter the URL "http://<server:8443>/somepath.html" without the correct privileges I am successfully blocked from accessing the page.

    When I enter the URL "http://<server:8443>/somePath.html" without the correct privileges I am granted access to the page when I shouldn't be (Note the capital "P" in the URL).

    I read that regex is case sensitive, which is unlike ant path-type, which is case insensitive. Since "somePath.html" is not matched, the request is passed to SomePathController and hence everything works correctly. If I do something like "soMepath.html" I get a page not found, since it doesn't match the interceptor patterns and doesn't find a matching Controller.

    Is this the way it is supposed to work?

    Further, how do you make the regex pattern noted above case insensitive?

    P.S. - We need to use regex because we check query parameters in the intercept patterns.
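
The mismatch described in the post, reproduced with plain `java.util.regex` as an added example that is not part of the original post and is not Spring Security's own code. It compares a case-sensitive rule with the same rule prefixed by Java's inline `(?i)` flag, followed by a catch-all rule so that unmatched URLs do not fall through as unsecured. Assumptions: the pattern is a constructed variant of the one in the post (the `.*` before `\Z`), rules are evaluated first-match-wins, and `requiredAccess` and `DENY_ALL` are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InterceptCaseDemo {

    // Hypothetical helper: returns the access attribute of the first rule whose
    // pattern matches the whole URL, or null when no rule applies.
    static String requiredAccess(Map<Pattern, String> rules, String url) {
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (rule.getKey().matcher(url).matches()) {
                return rule.getValue();
            }
        }
        return null; // no rule matched: nothing restricts this request
    }

    public static void main(String[] args) {
        // Constructed variant of the post's pattern (".*" before \Z is an assumption).
        String base = "\\A/somepath\\.html.*\\Z";

        // Rule set 1: case-sensitive, as in the post.
        Map<Pattern, String> caseSensitive = new LinkedHashMap<>();
        caseSensitive.put(Pattern.compile(base), "ROLE_PRIVILEGED_USER");

        // Rule set 2: the same rule with the inline (?i) flag, plus a final
        // catch-all so that anything unmatched is still covered by a rule.
        Map<Pattern, String> hardened = new LinkedHashMap<>();
        hardened.put(Pattern.compile("(?i)" + base), "ROLE_PRIVILEGED_USER");
        hardened.put(Pattern.compile("\\A/.*\\Z"), "DENY_ALL"); // hypothetical attribute

        // Constructed sample requests (path plus optional query string).
        String[] urls = {
            "/somepath.html",
            "/somePath.html",
            "/soMepath.html?x=1",
            "/other.html"
        };

        for (String url : urls) {
            System.out.printf("%-20s caseSensitive=%-21s hardened=%s%n",
                    url, requiredAccess(caseSensitive, url), requiredAccess(hardened, url));
        }
    }
}
```

A `null` in the `caseSensitive` column marks a URL that no rule restricts, which is the situation the post describes for `/somePath.html`.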